Following a recent investigation by Sky News, it’s been revealed that PayMyPCN.net, a private firm which allows drivers to pay fines via its website and has a direct link to the Driver and Vehicle Licensing Agency (DVLA) database, had been affected by a backdoor which gave access to restricted information.
Although we’ve seen many headlines that highlight the danger posed by APTs and the like, it seems many organizations are still unprepared for attacks or unidentified weaknesses at a more basic level.
In the case of PayMyPCN.net, while motorist data and fine payments were encrypted once entered on the firm’s website, a backdoor left the underlying database wide open, providing access to private information provided to PayMyPCN.net by the DVLA. The information was encrypted, but controlling access to the encrypted information is just as important, and this is where PayMyPCN.net appears to have failed. Encryption without access controls is of limited value: it protects only against physical loss or theft of a device holding sensitive data.
Unfortunately, the compromised data, which included driver names, emails, photographs and addresses, is the type that can easily be used by hackers looking to launch subsequent social engineering scams.
Essentially, a failure to have complete knowledge of access and exposure points in the business network is a breach waiting to happen. Protecting data no matter where it is stored and to whom it is transferred requires a combination of technologies to combat sophisticated threats.
Deploying encryption and access control for data at rest, together with Database Activity Monitoring (DAM) and Security Information and Event Management (SIEM) to gather information on what is happening to data, means that organisations can identify breaches as and when they occur, as well as spot compromised accounts and malicious insiders before it is too late.